
Can't ssh into AWS EC2 after enabling firewall

After enabling the firewall with 'sudo ufw enable' I can no longer ssh into my ec2 instance. Any way to recover from this? I'm guessing I should have done something like 'sudo ufw allow ssh' but didn't do that before exiting the session. Also, if I had done that, would I be able to ssh in after that, or is there something else I would need to do? Thanks.

You can recover, but the process is a bit involved.

You will need to detach the volume and reattach it to a new instance. Mount the volume, then find and edit the configuration file to allow ssh through.

Once you are done, you can swap the volume back to the original instance.

In most cases, if you are in VPC and using security groups correctly, you probably won't need a software firewall enabled. Security groups can handle most of the common firewall uses.

Success! @datasage provided the general steps to recover. Here are the details of the actual files I had to change, for anyone else who might need the details.

After creating a new instance and mounting the original OS volume as a data volume to /mnt/ufwOOPS, I made the following changes to the files in /mnt/ufwOOPS/lib/ufw, the manual equivalent to 'sudo ufw allow 22':

Add the following 3 lines, respectively, to the ## RULES ## section of user.rules and user6.rules

user.rules:

### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT

user6.rules:

### tuple ### allow any 22 ::/0 any ::/0 in
-A ufw6-user-input -p tcp --dport 22 -j ACCEPT
-A ufw6-user-input -p udp --dport 22 -j ACCEPT

Thanks for the tip @datasage!
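The manual edit in the answer above, written up as a small POSIX shell script (an added example, not code from the original thread or from the ufw project). It assumes the rescued root volume is mounted at a path you pass as MOUNT, and that the ufw rule files carry the "### END RULES ###" marker that ufw writes after its rules section; the new lines go just before that marker, inside the rules section the answer refers to. The rules are inserted only once, so running the script twice does not duplicate them, and the files are rewritten in place so their root ownership and mode on the mounted volume are kept. The source "0.0.0.0/0" / "::/0" mirrors the answer (what 'ufw allow 22' produces); once back on the original instance, 'sudo ufw status' shows whether the rule took, and narrowing the source to your admin network, together with the security group, is the usual tightening.

```shell
#!/bin/sh
# Added example: manual equivalent of `ufw allow 22` applied to the rule files
# of an offline-mounted root volume. Assumptions: MOUNT/lib/ufw/user.rules and
# user6.rules exist and contain a "### END RULES ###" marker.

# insert_ssh_rule FILE CHAIN SRC
# Add the port-22 tuple and its tcp/udp ACCEPT rules before "### END RULES ###".
# Skips the edit if the tcp rule is already present (idempotent).
insert_ssh_rule() {
    file=$1; chain=$2; src=$3
    if grep -q -- "-A $chain -p tcp --dport 22 -j ACCEPT" "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v chain="$chain" -v src="$src" '
        /^### END RULES ###/ {
            print "### tuple ### allow any 22 " src " any " src " in"
            print "-A " chain " -p tcp --dport 22 -j ACCEPT"
            print "-A " chain " -p udp --dport 22 -j ACCEPT"
            print ""
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner/mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# restore_ssh_access MOUNT
# Patch both the IPv4 and the IPv6 rule files under MOUNT/lib/ufw.
restore_ssh_access() {
    mnt=$1
    insert_ssh_rule "$mnt/lib/ufw/user.rules"  ufw-user-input  0.0.0.0/0 || return 1
    insert_ssh_rule "$mnt/lib/ufw/user6.rules" ufw6-user-input ::/0      || return 1
}

# count_ssh_rules FILE: number of port-22 ACCEPT rules in FILE (for checking)
count_ssh_rules() {
    grep -c -- '--dport 22 -j ACCEPT' "$1"
}

# make_sample_rules DIR
# Write constructed, minimal user.rules / user6.rules (same section markers as
# ufw's own files, but with no rules) under DIR/lib/ufw for an offline run.
make_sample_rules() {
    dir=$1/lib/ufw
    mkdir -p "$dir" || return 1
    for spec in user.rules:ufw-user-input user6.rules:ufw6-user-input; do
        name=${spec%%:*}; chain=${spec##*:}
        cat > "$dir/$name" <<EOF
*filter
:$chain - [0:0]
### RULES ###

### END RULES ###
COMMIT
EOF
    done
}

# Demo on a constructed tree; a real recovery would pass the rescue mount point
# (e.g. /mnt/ufwOOPS from the answer) to restore_ssh_access instead.
DEMO=$(mktemp -d)
make_sample_rules "$DEMO"
restore_ssh_access "$DEMO"
echo "port-22 rules in user.rules: $(count_ssh_rules "$DEMO/lib/ufw/user.rules")"
rm -rf "$DEMO"
```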
